List all expiring certificates on all domain joined servers

A colleague asked me if I could list all expiring certificates on all Domain Joined servers in the environment.
– Sure!

A few minutes later, I had a script that connects to all servers and lists certificates that will expire in less than 90 days. I’m sure there are a thousand scripts out there that do the same, and here is script number 1001.

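# Runs on each server: certificates in the LocalMachine\My store that are still valid but expire in less than 90 days
Get-ChildItem Cert:\LocalMachine\My -Recurse |
    Where-Object { $_.NotAfter -gt (Get-Date) } |
    Select-Object Subject, FriendlyName, Thumbprint, @{Name="Expires in (Days)";Expression={($_.NotAfter).Subtract([DateTime]::Now).Days}} |
    Where-Object "Expires in (Days)" -lt 90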

The script gets all Windows Server computer accounts that are not expired and are not virtual objects (like a Cluster Service).
It will then connect to those servers and list all Certificates that will expire in less than 90 days.
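
The whole procedure described above, as an added example (not the original author's script). It assumes the ActiveDirectory module and PowerShell remoting are available, treats "not expired" as an enabled account without a past AccountExpirationDate, and recognises cluster virtual objects by their MSClusterVirtualServer SPN; the variable names are made up for illustration.

```powershell
Import-Module ActiveDirectory

$thresholdDays = 90
$now = Get-Date

# Assumption: server accounts are found by OperatingSystem and must be enabled
$adQuery = @{
    Filter     = 'OperatingSystem -like "Windows Server*" -and Enabled -eq $true'
    Properties = 'DNSHostName', 'ServicePrincipalName', 'AccountExpirationDate'
}

$servers = Get-ADComputer @adQuery | Where-Object {
    # Assumption: "not expired" = no account expiration date in the past
    (-not $_.AccountExpirationDate -or $_.AccountExpirationDate -gt $now) -and
    # Assumption: cluster virtual objects carry an MSClusterVirtualServer SPN
    -not ($_.ServicePrincipalName -like 'MSClusterVirtualServer/*') -and
    $_.DNSHostName
}

$report = foreach ($server in $servers) {
    try {
        Invoke-Command -ComputerName $server.DNSHostName -ErrorAction Stop `
            -ArgumentList $thresholdDays -ScriptBlock {
            param($Days)
            # Same pipeline as on the page, with the threshold passed in
            Get-ChildItem Cert:\LocalMachine\My -Recurse |
                Where-Object { $_.NotAfter -gt (Get-Date) } |
                Select-Object Subject, FriendlyName, Thumbprint,
                    @{Name = 'Expires in (Days)'; Expression = { ($_.NotAfter).Subtract([DateTime]::Now).Days } } |
                Where-Object 'Expires in (Days)' -lt $Days
        }
    }
    catch {
        # Record servers that could not be checked instead of silently skipping them
        [pscustomobject]@{
            PSComputerName = $server.DNSHostName
            Subject        = "NOT CHECKED: $($_.Exception.Message)"
        }
    }
}

$report | Sort-Object 'Expires in (Days)' |
    Format-Table PSComputerName, Subject, FriendlyName, Thumbprint, 'Expires in (Days)' -AutoSize
```

Rows marked NOT CHECKED are servers where remoting failed, so their certificates still need to be reviewed another way.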

Short and easy to use, and we did find 2 certificates that need to be replaced ASAP!